The Long History and Short Future, Of the Password #WorldPasswordDay

In Western history, the concept of the password can be traced as far back as the so-called “shibboleth incident” in the 12th chapter of the biblical Book of Judges. In the chaos of battle between the tribes of Gilead and Ephraim, Gileadite soldiers used the word “shibboleth” to detect their enemies, knowing that the Ephraimites pronounced it slightly differently in their dialect. The stakes were life and death, we’re told, in a confrontation between Gileadites and a possible Ephraimite fugitive:

“Then said they unto him, ‘Say now Shibboleth’; and he said ‘Sibboleth’; for he could not frame to pronounce it right; then they laid hold on him, and slew him at the fords of the Jordan.”

Password security was introduced to computing in the Compatible Time-Sharing System and Unics (Unix) systems developed at the Massachusetts Institute of Technology and Bell Laboratories in the 1960s. Today we use passwords to restrict access to our personal computers and computing devices, and to access remote computing services of all kinds. But a password is not a physical barrier or obstacle, like a lock on a gate. Rather, it is a unit of text: that is to say, written language. As an important part of the linguistic history of computers, password security links my research in the history of writing to my interest in the early history of computing. But it is an episode in that history that may now be coming to an end.

When I use a password, it also stands in my place. The password represents me within a virtual or nonphysical system, regardless of whether I am physically present, entering a passcode on a smartphone or a PIN code at an ATM, or physically absent, connecting remotely to my bank with a web browser. Anyone else who knows my password can also use it this way.

This characteristic of password security, which has its roots in writing’s (necessary and useful) dissociation from the writer’s physical presence, is also the root of its problems. Poorly chosen and repeatedly used passwords are easy to guess, either through computational techniques (such as the “dictionary attack,” which might test all known words and word combinations in a particular language) or so-called social engineering (that is, tricking someone into disclosing a password).

Once it has been guessed, there isn’t much to prevent a password from being used for unauthorized purposes, at least until the theft is discovered. But even the strongest password, a sequence of alphanumeric and punctuation characters utterly devoid of linguistic meaning and long enough to defeat automated password guessing by software running on the fastest processor hardware available to a professional criminal (these days, that means international organized crime), can be used anywhere and at any time once it has been separated from its assigned user.

Looking to introduce new methods of authentication, device manufacturers are moving toward biometrics, from the fingerprint sensors on any recent smartphone to Android 4.0’s Face Unlock feature, iris or retina scanningand others. It seems unlikely that password security will last anywhere near another half-century.